Home > Vulnerability Database > WS-2023-0117

Mend.io Vulnerability Database

WS-2023-0117

Date: August 19, 2025

Under-validated ComSpec and cmd.exe resolution was found in Mutagen projects. Mutagen projects offer shell-based execution functionality. On Windows, the shell is resolved using the standard %ComSpec% mechanism, with a fallback to a %PATH%-based search for cmd.exe. While this is the standard practice on Windows systems, it presents somewhat risky behavior. The problem has been patched in Mutagen v0.16.6 and v0.17.1. Earlier versions of Mutagen are no longer supported and will not be patched. Versions of Mutagen after v0.18.0 will also have the patch merged.

Language: Go

Severity Score

6.1

Related Resources (4)

Url: https://github.com/mutagen-io/mutagen/security/advisories/GHSA-fwj4-72fm-c93g

Url: https://github.com/mutagen-io/mutagen/commit/750bc9032da3a8a4ca947fb2480a2774dce8379d

Url: https://github.com/mutagen-io/mutagen

Url: https://www.mend.io/vulnerability-database/WS-2023-0117

Severity Score

6.1

Weakness Type (CWE)

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-77

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2023-0117

Date: August 19, 2025

Language: Go

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?